- Security researchers find several vulnerabilities in various tunneling protocols
- The flaws allowed threat actors to perform DoS attacks and more
- The majority of vulnerable endpoints were in China
Millions of VPN servers, home routers and other Internet hosts may carry multiple vulnerabilities that could allow threat actors to carry out anonymous attacks and could give them access to private networks, experts have warned.
New research from Mathy Vanhoef, professor at KU Leuven University in Belgium, PhD student Angelos Beitis, and Top 10 VPNs discovered the vulnerabilities in several tunneling protocols: IPIP/IP6IP6, GRE/GRE6, 4in6, and 6in4, and obtained these identifiers: CVE-2024-7595, CVE-2025-23018, CVE-2025-23019, and CVE-5964.
VPN tunneling protocols are methods used to transfer data securely between a user’s device and a VPN server by encapsulating it in an encrypted tunnel. Common protocols include PPTP, L2TP/IPsec, OpenVPN and WireGuard, each offering different levels of speed, security and compatibility.
Millions of potential victims
The vulnerabilities primarily function to encapsulate one type of IP packet (IPv4 or IPv6) within another for network routing purposes. Unlike VPN-specific protocols, these are generally used for network transport rather than encryption or secure communication.
The research argues that the misconfigured systems accept tunneled packets without verifying the sender’s identity, making it “trivial to inject traffic into the vulnerable protocols’ tunnels.”
A malicious actor can send a packet encapsulated using one of the affected protocols with two IP headers, where the outer header contains the attacker’s source IP with the vulnerable host’s IP as the destination. The inner header’s source IP is that of the vulnerable host IP, while the destination IP is the target.
So when the vulnerable host receives the packet, it removes the outer IP header and forwards the inner packet to its destination, paving the way for the creation of a one-way proxy and exploiting the flaw to run DoS attacks, DNS spoofing, and more.
The researcher said they scanned the Internet for vulnerable hosts and found 4.26 million, including various VPN servers, ISP-provided home routers, core Internet routers, mobile network gateways and nodes, and CDN nodes, most of which were located in China.
“Any vulnerable host can be hijacked to perform anonymous attacks, as the outer packet headers containing an attacker’s real IP address are removed. However, these attacks are easily traceable to the compromised host, which can then be secured,” the researchers explained.
“Spoofing-capable hosts can have ANY IP address as the source address in the inner packet, so not only does an attacker remain anonymous, but the compromised host also becomes much harder to detect and secure,” they added.
